Take a look in your email’s spam folder, and you’ll find a sea of obvious, pathetic, sometimes hilarious phishing attempts. Occasionally, however, scammers get a bit clever and figure out how to scare you into sharing your most important information.
The latest Instagram phishing scam wants your backup codes
In this latest case, as reported by Trustwave, scammers are impersonating Meta, warning users their accounts are “infringing copyrights.” To make matters worse, they’ll emphasize that if you do not appeal this decision, Meta will delete your account within 12 hours. That’d be pretty awkward if you saw this email the following day, with a perfectly intact Instagram account.
To the trained eye, this initial message may be an obvious scam. While they get the Meta logo right, you might not fall for an intro that reads “Hi! Dear [Your Name],” or a direction that says “Click ‘Go to Form’,” when the button actually reads “Go to appeal form.” Meta also would never delete an account 12 hours after sending a warning email unless you “appeal” the decision first. If you dig deeper, the email address isn’t from Meta: It’s from “contact-helpchannelcopyrights[.]com,” and the URL to the appeal form goes to a Google Notification link, not a Meta URL. Suspicious…
However, many won’t see these red flags, and may click the appeal button as soon as possible to avoid losing their Instagram account. If you do, you’ll be taken to a fake Meta “Violation Status Central Portal,” where you can begin your “appeal.” Once you click through to another site to begin the process, the site asks you for your Instagram username and password (of course). But what the phishers are actually after comes next: They’ll ask if your account has two-factor authentication. If it does (as it should for maximum security), you will be asked to provide one of your backup codes for “protection.”
Let’s take a step back. Two-factor authentication (or 2FA) sends a code to a trusted device whenever you try to log into your account. It’s meant to keep intruders who know your username and password out, and is why you should never share your code with anyone. However, if you don’t have access to your trusted device, some services like Instagram use backup codes. These are pre-established codes that you can use on a one-time basis that act like 2FA. That way, even if you don’t have access to the text message with your 2FA code, you can use a backup code to authenticate yourself.
The scammers want you to provide one of your backup codes, following your username and password, so they can use it all to log into your account on their end. Once they do, they can reset both the password and the codes, locking you out of your account. Again, you should never hand out your 2FA or backup codes to anyone. Only use them when you are directly attempting to log into your account and are prompted to do so.
How to protect yourself from phishing scams
Scammers aren’t going to stop scamming, but you can make it harder for them to succeed. At this point, we should all stop checking our email. But, if you must, follow these general tips:
- Always check the domain of the sender. Often, a scammer will replace their name with the name of the company they’re impersonating (Meta, in this case), but if you click the name in your email app, you’ll see the full domain. It’s likely bogus.
- Be extremely cautious with links in messages. Before clicking, hover your mouse over the link and read the URL preview that appears. If the link is official, it should take you to a familiar domain (something related to Meta or Instagram). If it’s a jumble of nonsense, or a company name that has nothing to do with the email, that’s an issue.
- Be mindful of spelling, grammar, and formatting issues. These billion-dollar companies don’t send out emails with mistakes: If the copy is poorly written, or if the formatting seems amateur, that’s because it is. It’s giving “graphic design is my passion.”
- If you do click a link and regret it, just close out of the window. Do not download anything or give any information away. False sites love to ask you to “sign in,” all the while recording your username, password, and other valuable information like your 2FA codes.
- If in doubt, reach out to the sender directly. If “Instagram” wants you to log in, log in from Instagram’s site yourself. If your boss wants you to wire money, call them directly. (Although I promise you, they don’t want you to.)
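The first two tips above (check the sender’s domain, check where the link actually goes) and the 12-hour deadline pressure can be turned into a simple mail-triage check. This is an added example for this article, not Trustwave’s or Meta’s code; the trusted-domain list and both sample messages are constructed for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Illustrative allowlist of domains a genuine Meta/Instagram notice would use.
# This is an assumption for the example, not an official Meta list.
TRUSTED_DOMAINS = {"meta.com", "facebook.com", "instagram.com", "facebookmail.com"}

# Constructed sample modelled on the phishing message described above.
PHISH_EMAIL = """From: Meta <noreply@contact-helpchannelcopyrights.com>
Subject: Your account is infringing copyrights
Content-Type: text/html

<p>Hi! Dear user, appeal now or Meta will delete your account within 12 hours.</p>
<a href="https://notifications.google.com/g/p/ABC123">Go to appeal form</a>
"""
# Constructed sample of what a legitimate notice would look like.
LEGIT_EMAIL = """From: Instagram <security@mail.instagram.com>
Subject: New login to your account
Content-Type: text/html

<p>Review this login from the app or on our site.</p>
<a href="https://www.instagram.com/accounts/login/">Review login</a>
"""

def registrable_domain(host):
    """Reduce a hostname to its last two labels: mail.instagram.com -> instagram.com."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def check_email(raw):
    """Return the red flags found in one raw message (empty list means none)."""
    msg = message_from_string(raw)
    flags = []
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(addr.partition("@")[2])
    if sender_domain not in TRUSTED_DOMAINS:
        flags.append(f"sender domain {sender_domain!r} is not a trusted Meta domain")
        # Brand name in the display name, but the address is a foreign domain.
        if any(b in display_name.lower() for b in ("meta", "instagram")):
            flags.append(f"display name {display_name!r} impersonates the brand")
    body = msg.get_payload()  # single-part message, so this is the HTML text
    for href, text in re.findall(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        link_domain = registrable_domain(urlparse(href).hostname or "")
        if link_domain not in TRUSTED_DOMAINS:
            flags.append(f"link {text.strip()!r} goes to {link_domain!r}, not a Meta domain")
    if re.search(r"\bwithin \d+ hours\b", body, re.I):
        flags.append("artificial deadline pressure")
    return flags
```

Running `check_email(PHISH_EMAIL)` reports the foreign sender domain, the brand-name display name, the Google-hosted link and the deadline; the legitimate sample produces no flags.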